Sunday, December 06, 2009

malware classification fail

i'm wondering what the anti-malware world is coming to when the leading vendor classifies something as a trojan even though it clearly discloses what damage it does.

by this logic, every copy of every operating system also ships with a trojan horse program, either in the form of the delete command or the format command.

one of the basic requirements of a trojan is that it tricks the user into executing it - the original trojan horse wouldn't have gotten very far if there was a warning sign on the outside that said it contained enemy soldiers that would sack the city when night fell. so too would suspected malware not get very far if it plainly disclosed what it does.

this game is at worst a potentially unwanted program - in other words, grayware. we can't just go around calling every bad program (or even just every bad non-viral program) a trojan anymore than we can go around calling all malware viruses. not using the proper terminology is a great way to confuse everyone and confusion is something we don't want to sow, right?!?

i have no doubt that is true. the question is, do those qualify as trojans? is simply being malicious enough or is deception also required. and in the case where the malicious activity is disclosed in an EULA, does that really count as disclosure when everyone knows that nobody reads those things.

personally, i would say that disclosure through EULA isn't sufficient to reveal the true behaviour of a suspect program so such a case would qualify as a trojan - however when a program warns you at run-time in big red letters that it's going to delete your files (which this game did) that is another matter entirely.